Remove delay after entering a wrong password

Hi to all!

It’s possible to remove 3s delay when entering wrong password?
ex in
su -
command?

I’ve try to configure pam_unix and su module but it doesn’to work.

My system-auth file:

#%PAM-1.0

#auth required pam_faillock.so preauth
#Optionally use requisite above if you do not want to prompt for the password on locked accounts.

-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok nodelay
#auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
#auth required pam_faillock.so authsucc
#If you drop the above call to pam_faillock.so the lock will be done also on non-consecutive authentication failures.

-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so

-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so

-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so

My /etc/pam.d/su file:

#%PAM-1.0
auth sufficient pam_rootok.so
#Uncomment the following line to implicitly trust users in the “wheel” group.
#auth sufficient pam_wheel.so trust use_uid
#Uncomment the following line to require a user to be in the “wheel” group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so nodelay
account required pam_unix.so
session required pam_unix.so
password include system-auth

When i type a wrong pass, there are 2,3 sec of delay:

[myuser@myhost ~]$ time su -
Password:
su: Autenticazione non riuscita

real 0m3,265s
user 0m0,008s
sys 0m0,008s

Bug or wrong pam config?
Thanks to all

My Manjaro info:

Operating System: Manjaro Linux
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0
Kernel Version: 6.9.0-MANJARO (64-bit)
Graphics Platform: X11

Set desired FAIL_DELAY in /etc/login.defs or use pam_faildelay if you want set delay only on specific use Security - ArchWiki

3 Likes

Thanks Tomek,
but i’ve already disabled FAIL_DELAY in /etc/login.defs and…i don’t want to enable any delay! :slight_smile:

i would like to disable any delay!

but delay was still present:

[luser@lhost.gmmg ~]$ time su -
Password: 
su: Authentication failed

real    0m3,059s
user    0m0,012s
sys     0m0,004s

Edit /etc/pam.d/su to add:

auth optional pam_faildelay.so delay=0 

That should work for su, it has no effect on sudo.

If you want to remove fail-delay for sudo, edit /etc/pam.d/sudo to add the same line.

1 Like

:frowning: doesn’t work!

and

That works for me on VM :person_shrugging:

$ time su
Password: 
su: Authentication failure

real    0m1,466s
user    0m0,000s
sys     0m0,005s

Again:

$ time su -
Password: 
su: Authentication failure

real    0m2,017s
user    0m0,002s
sys     0m0,003s

Time = Entering your password is slow + su process time depends on your CPU speed + No delay in config.


Edit://

That should be expected.

For me, changing FAIL_DELAY to 0 in /etc/login.defs, reduced it from ~5s to ~2s.

You’ll always have some delay.

1 Like

This should be the place to look at and adjust.

/etc/security/faillock.conf

choice of search terms can often decrease the amount of results to sift throug
I just used decrease instead of remove …

Of course it was not the first hit - it seldom is.

@dmt yes! me too

Now, you just need to decide whose post to mark as the solution; I notice that @Zesko stated the obvious before anyone else:

And another…

Allow me to add, for the sake of clarity…

Setting delay=0 does work.

The additional delay is caused by the usual performance bottlenecks of your system. There is little to be done about that, apart from fine tuning your BIOS and System to maximise performance; or perhaps buying a bitcoin rated graphics card and a high performance computer.

2 Likes

UPDATE:

with this config:

[myuser@myhost /]# grep FAIL_DELAY /etc/login.defs 
FAIL_DELAY              0
[myuser@myhost /]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
auth       optional   pam_faildelay.so  delay=0
account         required        pam_unix.so
session         required        pam_unix.so
password        include         system-auth

delay was still about 3s:

[myuser@myhost ~]$ time su -
Password: 
su: Autenticazione non riuscita

real    0m2,593s
user    0m0,008s
sys     0m0,008s

OK!! I SOLVED!! :))

Problem was that i was editing wrong pam.d file! :frowning:

su - setting was in /etc/pam.d/su-l file!!
I’ve add nodelay in line

auth            required        pam_unix.so nodelay

Thanks to all!

1 Like

This topic was automatically closed 36 hours after the last reply. New replies are no longer allowed.